[Snort-users] Barnyard not reporting to syslog-ng

Billy Marshall Billy.Marshall at ...9988...
Fri May 22 10:38:33 EDT 2009


Hi all, (apologies for any duplicate emails)
 
I have searched and fiddled with Barnyard for about a month and I am unable to get it to report to syslog-ng. I have been able to get Snort to report so the syslog-ng.conf.in file is correct.
 
Also, when I issue the following it appears in the /var/log/snort/snort.alert log file:
 
logger -p local3.notice "THIS IS AN ALARMING ALARM"
 
Here are my configurations (I am on a DL380 G5 server running SuSE 10 r2).
I have scripts to start and stop snort and barnyard, and to reload syslog-ng.conf.in:
SuSEconfig --module syslog-ng

syslog-ng.conf.in
filter f_local3 { facility(local3); };
# Send SNORT local3 logs to remote syslog daemon:
destination snortlogremote { udp("xxx.xxx.xxx.xxx"); };
log { source(src); filter(f_local3); destination(snortlogremote); };
# Send SNORT local3 logs to logging file:
destination snortlogs { file("/var/log/snort/snort.alert"); };
log { source(src); filter(f_local3); destination(snortlogs); };

Snort.conf
output alert_unified: filename Snort.alert, limit 128
output log_unified: filename Snort.log, limit 128

Barnyard.conf (I have tried both of these but not at the same time)
output alert_syslog: LOG_AUTH | LOG_ALERT
output alert_syslog2: severity:ALERT; facility:LOCAL3; syslog_host:localhost;
 
This is /var/log/messages. I never get any new data via syslog-ng, but my database is growing.

barnyard[6635]: Exiting 
barnyard[32477]: Initializing daemon mode 
barnyard[32478]: Opened spool file '/var/log/snort/Snort.log.1242239309' 
barnyard[32478]: Waiting for new data 

Any help would be very appreciated.
 
Cheers.
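An added diagnostic script, not part of the original post or of Barnyard/syslog-ng: it computes the syslog PRI value each of the two Barnyard output lines above would put on the wire and checks it against the f_local3 filter from the syslog-ng.conf.in shown, so a reader can see which facility each config actually emits. The send_udp helper assumes alert_syslog2 delivers over UDP to syslog_host on port 514 and that the src source in syslog-ng has a udp() listener; the post shows neither.

```python
import socket

# RFC 3164 facility/severity codes, limited to those used in the post's configs
FACILITIES = {"AUTH": 4, "LOCAL3": 19}
SEVERITIES = {"ALERT": 1, "NOTICE": 5}


def syslog_pri(facility, severity):
    """PRI as encoded in the '<PRI>' prefix: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Split a PRI back into (facility_code, severity_code)."""
    return divmod(pri, 8)


def passes_f_local3(pri):
    """Mimic the post's filter: filter f_local3 { facility(local3); };"""
    facility, _ = decode_pri(pri)
    return facility == FACILITIES["LOCAL3"]


def build_message(facility, severity, tag, text):
    """BSD-syslog datagram, e.g. what 'logger -p local3.notice' produces."""
    return "<%d>%s: %s" % (syslog_pri(facility, severity), tag, text)


def send_udp(message, host="localhost", port=514):
    """Send one datagram to a syslog-ng udp() source (assumption: this is the
    path alert_syslog2 uses with syslog_host:localhost, unlike logger, which
    writes to /dev/log). Nothing on the receiving side is verified here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode(), (host, port))


if __name__ == "__main__":
    # The three senders mentioned in the post and the facility each one emits
    cases = [("AUTH", "ALERT", "alert_syslog: LOG_AUTH | LOG_ALERT"),
             ("LOCAL3", "ALERT", "alert_syslog2: facility:LOCAL3"),
             ("LOCAL3", "NOTICE", "logger -p local3.notice")]
    for fac, sev, label in cases:
        pri = syslog_pri(fac, sev)
        print("%-36s PRI=<%d> passes f_local3=%s" % (label, pri, passes_f_local3(pri)))
```

Running it shows that the alert_syslog line emits facility AUTH (PRI 33), which f_local3 never passes, while alert_syslog2 and the logger test both emit LOCAL3.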